
Help: getAccessToken returns invalid signature. Can someone help me see what I have overlooked?

The request I send is formatted as follows:

plainText:{_appid=wxc83c20b17ec9145b, secret=xxxx, _timestamp=1721029495, _n=edZ2+CQKApzao/UXFEIawA}
URL and parameters: https://api.weixin.qq.com/cgi-bin/token?appid=wxc83c20b17ec9145b&secret=xxxx&grant_type=client_credential
headers:[Content-Length:"244", Content-Type:"application/json", Wechatmp-Appid:"wxc83c20b17ec9145b", Wechatmp-TimeStamp:"1721029495", Wechatmp-Signature:"a1hAInGl6qKF8xDaa+bTiuvWYVHdTvxmadWVjIURO/qnpxeAPrvV7ifvK7ZUv4I5ylXWmnuqUXOQJTlnIreM93S6SIckwXCV+HZoiysK0VS+QG6bmGmSeM1YyHpf+cQ9Cn/uOQNBnnaGAqmZtUHF3SQPoLDWruKNn9c3eEM45bQ5A/IJthIRymG8dpCxAjdwdgUoMrYVj7N+e6E8IAufvrQRXIr0Yx0srVmDazXtpt+wCXGbhsSqCWQFxcQILN9Hy0SUnpsqtNUvjIjiIH8jfPvKZUKhlmNkR3G8SrSE152ClpwGJIysewP/3qzx1n1edhbPHXRAr6zZE//U45wc2w=="]
jsonBody:{"data":"3XB3m7Mp9wGENZH+56TK1kDg164KMPzsovSC11Ti12p75YOLm63k0m1+XKdf3oto3UM9tOEnIfg4ZEfpNvL1IJwICBZlYiUx0Y7RZyM9+FyHBaLUhQAVSzLPjBNFOtteHKMfv1NgAeb/QHRaIAJzeHx3rftz9MkL6ngfMXXe9aIP","authTag":"hjDUNQLaJ4RETByrMgrjnQ==","iv":"mgyPjBsa1qIk4NIP"}


Returned rid: 6694d376-05c82783-3499c23c



1 answer

  • Community Technical Operations Specialist -- 许涛
    2024-07-16

    Hello, please use this script to debug. Link: https://pan.baidu.com/s/1_e4h7kRB385zuHMBdoEZOw?pwd=xixi Extraction code: xixi

    5 replies
    • ignored
      2024-07-17
      Hello, is there a Java version?
    • ignored
      2024-07-17
      I am using Java. The code logic is basically copied from the documentation, and I have not found the cause.
    • Community Technical Operations Specialist -- 许涛
      2024-07-17, replying to ignored
      from Crypto.PublicKey import RSA
      from Crypto.Hash import SHA256
      import base64


      pub_key = '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3FoQOmOl5/CF5hF7ta4E\nzCy2LaU3Eu2k9DBwQ73J82I53Sx9LAgM1DH3IsYohRRx/BESfbdDI2powvr6QYKV\nIC+4Yavwg7gzhZRxWWmT1HruEADCZAgkUCu+9Il/9FPuitPSoIpBd07NqdkkRe82\nNBOfrKTdhge/5zd457fl7J81Q5VTIxO8vvq7FSw7k6Jtv+eOjR6SZOWbbUO7f9r4\nUuUkXmvdGv21qiqtaO1EMw4tUCELzY73M7NpCH3RorlommYX3P6q0VrkDHrCE0/Q\nMhmHsF+46E+IRcJ3wtEj3p/mO1VoCpEhawC1U728ZUTwWNEii8hPEhcNAZTKaQMa\nTQIDAQAB\n-----END PUBLIC KEY-----'
      m = b'''https://api.weixin.qq.com/wxa/getuserriskrank
      wxba6223c06417af7b
      1635927954
      {"iv":"fmW/zNxXlytUZBgj","data":"0IDVdrPtSPF/Oe2CTXCV2vVNPbVJdJlP2WaTMQnoYLh5iCrrSNfQFh25EnStDMf0hLlVNBCZQtf9NaV0m4aRA4AAYIO7oR/Ge+4yY4EmZp5EVPB42xjScgMx5X3D4VdLCfynXIUKUtZHZvk1zmLVE3RauzJgiM1BB1CPmwcENo3MTJ0z8Vfkf5tMv54kOXobDLlV5rfqKdAX7gM/rP82DgZdt9vvZX44ipdbHIjJvw83ZXAFtvftdVw2Qd8=","authtag":"5qeM/2vZv+6KtScN94IpMg=="}'''
      bsig = 'wcSSWHZunjz9VKl9q+If9deiyECXDAELfAJNZ4+5T+NhFr8zfhkwdQtlgQ7nN5xs99R57La9UjBTRBGge2KYyshWtw7HIMPAqWNsnpHvx0b2f7s6Bt7OpfOQLlIfNgepgTVmUwrqW8/7A12szj7tCe/bRFilwnaX6N0w4duHlfL7ic7IIZXouvy9dLRAa5GtEk1eD/LPWRiKh0SvJ3znPY/pSiQW9zSkXVdj9UGGM8qcKLzPGJ7gSmt3ZOPkFapk9wqFmhJwQj//xN5+hUlr2UiNPMNSHve5Y2ADLsNHqk5t7RfAZ8nW9/8lzhVt4t+toy1FeehxCGIC8qgmjIl1hg=='


      pub_key = RSA.import_key(pub_key)
      n, e = pub_key.n, pub_key.e
      print('n,e:', n, e)

      # RSA public-key operation: recover the PSS-encoded message EM = sig^e mod n
      sig = base64.b64decode(bsig)
      isig = int.from_bytes(sig, 'big')
      rstr = pow(isig, e, n)
      bstr = rstr.to_bytes(256, 'big')  # 256 bytes for a 2048-bit key

      # EM = maskedDB || H || 0xbc; a wrong trailer byte usually means a wrong key
      if bstr[-1] != 0xbc:
          print('[*]bytes error, not BC')
          print('[*]maybe using wrong pubkey')
          print(bstr.hex())
          raise SystemExit(1)
      print('bstr:', bstr.hex())

      mdb = bstr[:-33]    # maskedDB
      h2 = bstr[-33:-1]   # H, the 32-byte SHA-256 value carried in the signature
      print('mdb:', mdb.hex())
      print('h2:', h2.hex())

      # pad maskedDB with zeros to a whole number of 32-byte blocks
      lmdb = len(mdb)
      mdb += b'\x00' * (-lmdb % 32)
      mdbibs = [int.from_bytes(mdb[i:i+32], 'big') for i in range(0, lmdb, 32)]
      lmdbibs = len(mdbibs)

      # MGF1: unmask block i with SHA256(H || 4-byte big-endian counter i)
      db = b''
      for i in range(lmdbibs):
          iv = h2+(i).to_bytes(4, 'big')
          tmp_hash = SHA256.new(iv).digest()
          itmp = mdbibs[i] ^ int.from_bytes(tmp_hash, 'big')
          db += itmp.to_bytes(32, 'big')
          # print(iv.hex(), tmp_hash.hex(), mdbibs[i].to_bytes(32, 'big').hex())

      # remove padding
      db = db[:lmdb]
      print('db:', db.hex())

      # DB must end with 0x01 || salt, where the salt is 32 bytes long
      if db[-33] != 0x01:
          print('[*]db bytes error, not 01')
          print('[*]maybe using wrong salt length')
          raise SystemExit(1)

      salt = db[-32:]
      print('salt:', salt.hex())

      # hash of the message that was (supposedly) signed
      h = SHA256.new(m).digest()
      print('m:', m)
      print('h1:', h.hex())

      # recompute H = SHA256(eight zero bytes || SHA256(m) || salt) and compare
      mm = b'\x00'*8+h+salt
      ch2 = SHA256.new(mm).digest()
      print('mm:', mm.hex())
      print('cal h2:', ch2.hex())
      print('sig h2:', h2.hex())
      if ch2 != h2:
          print('[*]calculated hash error')
          print('[*]using wrong message. check the message hash while signing')
          print('[*]message hash:', h.hex())
          print('[*]message:', m)
          raise SystemExit(1)
      print('verified')
    • ignored
      2024-07-17, replying to Community Technical Operations Specialist -- 许涛
      Hello, I don't know Python. Is there any other way?
    • Mr.Zhao
      2024-07-17, replying to ignored
      Look for an open-source Java SDK, such as wxjava; it may have a ready-made encryption/decryption implementation.
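
Added example, not part of the thread and not WeChat's own code: the signing-side counterpart of the debug script above, using only the standard library. It builds the PSS-encoded message EM (SHA-256, MGF1, 32-byte salt, 2048-bit key size, as the script assumes) for a newline-joined payload and classifies a mismatch into the script's three failure classes. It works on EM directly, so no RSA key is involved; all function names and sample values are constructed for illustration.

```python
import hashlib
import json

H_LEN = 32  # SHA-256 output size; the thread's script also assumes a 32-byte salt

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1-SHA256: SHA256(seed || 4-byte big-endian counter), concatenated."""
    n = (length + H_LEN - 1) // H_LEN
    return b''.join(hashlib.sha256(seed + i.to_bytes(4, 'big')).digest() for i in range(n))[:length]

def xor(a: bytes, b: bytes) -> bytearray:
    return bytearray(x ^ y for x, y in zip(a, b))

def signing_payload(url: str, appid: str, timestamp: int, body: str) -> bytes:
    """Four newline-joined fields, in the order used by `m` in the thread's script."""
    return f'{url}\n{appid}\n{timestamp}\n{body}'.encode()

def pss_encode(msg: bytes, salt: bytes, em_len: int = 256) -> bytes:
    """EMSA-PSS encoding for a 2048-bit key: maskedDB || H || 0xbc."""
    m_hash = hashlib.sha256(msg).digest()
    h = hashlib.sha256(b'\x00' * 8 + m_hash + salt).digest()
    db = b'\x00' * (em_len - len(salt) - H_LEN - 2) + b'\x01' + salt
    masked = xor(db, mgf1(h, len(db)))
    masked[0] &= 0x7f  # emBits is 2047, so the top bit of EM must be zero
    return bytes(masked) + h + b'\xbc'

def pss_diagnose(em: bytes, msg: bytes, salt_len: int = 32) -> str:
    """Classify a recovered EM into the same failure classes the script prints."""
    if em[-1] != 0xbc:
        return 'wrong key'
    masked, h = em[:-H_LEN - 1], em[-H_LEN - 1:-1]
    db = xor(masked, mgf1(h, len(masked)))
    db[0] &= 0x7f
    pad_len = len(db) - salt_len - 1
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return 'wrong salt length'
    m_hash = hashlib.sha256(msg).digest()
    h_check = hashlib.sha256(b'\x00' * 8 + m_hash + bytes(db[pad_len + 1:])).digest()
    return 'verified' if h_check == h else 'wrong message'

# Constructed sample values (not from the thread). RESENT re-serialises the JSON body,
# which changes its bytes; the fixed salt only keeps the run repeatable.
BODY = '{"iv":"AAAA","data":"BBBB","authtag":"CCCC"}'
URL, APPID, TS = 'https://api.example.invalid/path', 'wx0000000000000000', 1700000000
SIGNED = signing_payload(URL, APPID, TS, BODY)
EM = pss_encode(SIGNED, salt=bytes(range(32)))
RESENT = signing_payload(URL, APPID, TS, json.dumps(json.loads(BODY)))

if __name__ == '__main__':
    print(pss_diagnose(EM, SIGNED), '|', pss_diagnose(EM, RESENT))
```

The second result is `wrong message` because `json.dumps` inserts spaces after `:` and `,`, so the bytes hashed at verification no longer match the bytes that were signed.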